Managing IAM security credentials for multiple docker containers

There is this project: https://github.com/dump247/docker-ec2-metadata

It acts as a proxy to the instance meta-data endpoint, returning a role specific to the container. I have not used it before, but it seems to solve the use-case you are describing.

Applying least privilege using Roles and Security Groups (even though you didn't mention them) in AWS with EC2 are both best practices to provide a secure environment for your hosting applications, especially when using CloudFormation. However, when you layer a multi-tenant Docker environment on top of that is when things start to fall apart.

The best answer right now to continue to get the benefit of Roles while applying least privilege is to not use a multi-tenant approach. Basically use a one-to-one mapping between EC2 instance and application, but you can still use clusters / ASGs. Docker is still an extremely useful and powerful tool you can use to manage and deploy your applications, but for now Roles apply at the EC2 instance and not the container. That means using separate VMs for each application for now.

If being multi-tenant is more important than Roles then the answer is to not use Roles and distribute AWS credentials to your applications using some other method.

Unfortunately neither of these solutions is very desirable and I expect this specific pain point to be addressed by AWS in the future due mainly to the growing popularity of containers.